Information security has specific implications for technology
operations. Data center operations should support and complement
the financial institution's information security architecture and
processes. Refer to the IT Handbook's "Information Security
Booklet" for additional information.

As part of the information security program, management should
implement an information classification strategy appropriate to the
complexity of its systems. Generally, financial institutions should
classify information according to its sensitivity and implement
controls based on the classifications. IT operations staff should
know the information classification policy and handle information
according to its classification.

IT operations staff should be aware of the organization's
information security program, how it relates to their job function,
and their role as information custodians. As custodians, IT
operations staff are responsible for protecting the
information as it is processed and stored.

Management should employ the principle of least possible
privilege throughout IT operations. The principle provides that
individuals should only have privileges on systems and access to
functions that are required to perform their job function and
assigned tasks. Access privilege may include read-only, read/write,
or create/modify. Even read-only access poses risk since employees
can print or copy sensitive customer information for inappropriate
use. System administrator and security administrator level access
allows an individual to change access privileges to systems and
information. Individuals with these roles and privileges should
have minimal transactional authority. Independent employees should
monitor the system and security administrator activity logs for
unauthorized activity. Smaller operations centers are challenged in
implementing separation of duties and the principle of least
privilege because they frequently do not have the resources.
Management at smaller institutions should establish compensating
controls in these circumstances.

Network and system monitoring and maintenance tools can provide
IT operations staff with inappropriate access to sensitive
information. These hardware and software monitoring and maintenance
tools observe equipment for error conditions, faulty links, or
other problems. These utilities may also allow operations staff
powerful access to operations center equipment. Because monitoring
tools such as network sniffers, network diagnostics tools, and
network management utilities can circumvent traditional safeguards,
management should control access to them. Controls for such tools
should include:

Policies defining appropriate use;

Least possible privilege;

Usage logs;

Reports to management and audit on use of monitoring
tools;

Password protection and lockout facilities;

Physical protection (e.g., a locked cabinet); and

Dual control of equipment (i.e., two individuals need to
operate equipment together).

Remote monitoring and administration tools pose special risks to
information security. Remote tools allow operators to connect
through a remote function and perform activities they would
normally perform on-site. Some financial institutions have approved
remote access technologies as a central, common solution for all
employees who require remote access. Information security personnel
should scrutinize and monitor remote access closely. Remote access
solutions that are available continuously or for extended periods
of time pose the greatest risk to a financial institution. Because
remote access solutions potentially bypass information security
controls, management should evaluate and implement appropriate user
access, activity logging, and time of day controls to minimize the
risk of unauthorized access.
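
The following is an added example, not part of the handbook text: a sketch of how an independent reviewer could check remote access activity logs against the user access, time of day, and session length controls described above. The policy values, user names, and log records are constructed for illustration.

```python
from datetime import datetime, time, timedelta

# Assumed policy values for illustration; the handbook does not prescribe them.
POLICY = {
    "approved_users": {"jlee", "mroth"},
    "window": (time(7, 0), time(19, 0)),   # permitted connection start times
    "weekdays_only": True,
    "max_duration": timedelta(hours=4),
}

# Constructed activity-log records: (session id, user, start, end or None if open).
SESSIONS = [
    ("s1", "jlee", "2024-03-04T09:15", "2024-03-04T10:05"),
    ("s2", "mroth", "2024-03-04T23:40", "2024-03-05T00:10"),
    ("s3", "vendor1", "2024-03-05T10:00", "2024-03-05T10:30"),
    ("s4", "jlee", "2024-03-05T08:00", None),
    ("s5", "mroth", "2024-03-09T11:00", "2024-03-09T11:20"),
]

def review_session(record, policy, now):
    """Return the list of policy exceptions for one session record."""
    _, user, start_s, end_s = record
    start = datetime.fromisoformat(start_s)
    # A session with no logged end is measured up to the review time.
    end = datetime.fromisoformat(end_s) if end_s else now
    findings = []
    if user not in policy["approved_users"]:
        findings.append("user not approved")
    lo, hi = policy["window"]
    if not (lo <= start.time() <= hi):
        findings.append("outside time-of-day window")
    if policy["weekdays_only"] and start.weekday() >= 5:
        findings.append("weekend connection")
    if end - start > policy["max_duration"]:
        findings.append("extended session" if end_s else "extended session (still open)")
    return findings

def review(sessions, policy, now):
    """Map session id to findings, for sessions with at least one exception."""
    report = {}
    for rec in sessions:
        findings = review_session(rec, policy, now)
        if findings:
            report[rec[0]] = findings
    return report

if __name__ == "__main__":
    for sid, found in review(SESSIONS, POLICY, datetime(2024, 3, 5, 18, 0)).items():
        print(sid, "; ".join(found))
```

The resulting report is the kind of exception list that could feed the activity log review by independent employees described earlier in this section.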

Other types of remote access such as modems attached to systems
or special maintenance ports may circumvent the central, approved
remote access solution. Information security personnel may overlook
these remote access points, which might allow unauthorized
individuals to access sensitive equipment. Management should
routinely review the network topology and hardware inventory to
ensure the identification and control of all remote access points.
Management should also document strict policies about the
consequences of unauthorized use of modems or other access devices
without implicit approval.